Good afternoon. How's everybody doing? Good? All right. Let's talk about attribution now. Clearly nation state on nation state stuff is a big deal. The other night I went to bed, I turned on the television in my hotel room and what did I see but Ted Cruz talking about information security and cyber warfare and nation state on nation state hacking and malware kind of things. So it's very, very important that we get better at this and I think that's what we're going to learn about today. So let's give our next speaker a big round of applause.

Good morning. Welcome to Big Game Hunting: Peculiarities in Nation State Malware Research. Actually, for the different audience it's called Fuck Your Attribution. Where's the IDB? So I'm Morgan Marquis-Boire and I am currently the director of security at First Look Media. I also am a senior researcher at the Citizen Lab at the University of Toronto and I advise a bunch of organizations on security and privacy.

You got a great CV. Hello. My name is Marion. I'm not nearly as busy as Morgan is. I'm a senior malware researcher for Cyphort Inc., which is a small startup based in Santa Clara. Next to that I occasionally reverse engineer malware. In my spare time I give classes on how to learn reverse engineering and hang around at conferences like this one, and I'm very happy to be part of probably the most diverse talk in the history of DEF CON today, because you have here a female speaker and a speaker of color.

I was advised by virus that the diversity panel last year was actually more diverse, so that's not true. I think he's cheating. We were supposed to have Claudio here today. Unfortunately he couldn't make it. So we're starting a #FreeClaudio hashtag. Please spread rumors about his imprisonment. So we've got a lot to get through actually. Today we're going to cover a little bit about how sort of antivirus moved to what we're calling antivirus 2.0 and the so-called rise of threat intelligence.
We're going to discuss a bit about how that sausage is made, discuss the industry's fascination with sophistication and attribution and how they forget about victims. We'll discuss a novel approach to binary attribution. I'll diss on Hacking Team at some point. And at the end we're going to sort of have like a, because by that stage you will all be experts, we're kind of going to have a choose-your-own-adventure nation state malware analysis session where the audience can help us out attributing a pivot to an unreleased set of nation state malware. But in order to contextualize all this I thought I'd sort of start at, at least, the beginning of the modern era for a lot of people in terms of realizing that this game was actually going on. So I actually worked at Google when Google was hacked by China. That happened in 2009; however, it was publicly announced in 2010. And the reaction was actually kind of interesting, right? Because it led to a lot of finger wagging: bad China, how could you hack beloved Google, beloved Silicon Valley companies. We learned that actually all of Silicon Valley was owned by China. And then we actually learned that everything was actually owned by China. And that led to even more finger wagging. There was a lot of chest beating about how we had to deal with the China problem, China fleecing American companies and constantly hacking everything. And then we learned of course that it actually wasn't just China, but that everyone was hacking everything. And I mean another one of the things that I think is sort of the next big stage is, you probably know a little bit about Stuxnet, which, there's a variety of hyperbole around it, but you know it's sort of like the world's first digital cyber weapon and that sort of thing. It was allegedly a joint effort by the US and Israel to sabotage Iran's nuclear program. There's actually a variety of malware families that fell out after this attribution.
Kaspersky called these guys the Tilde, well, called this platform the Tilded platform. So that was Stuxnet and Duqu and so forth, because of the fact that the temp files started with a tilde. More recently I did a bunch of work with Claudio, who isn't here as you notice, on some malware that was called Regin. And this was attributed to the GCHQ hack of the Belgian telco, Belgacom.

Well, on the other side, even a bit funnier: in the beginning of 2015 we uncovered that not only the British government is interested in operating their own spyware but also the French had their fingers wrapped around Iranian and Syrian institutions. We uncovered malware named Babar which was allegedly written by French intelligence and spying in the Middle East.

So earlier this year Kaspersky outed what is allegedly the NSA's malware, the Equation Group, so what we actually see is that basically, you know, all states are using hacking as a means of espionage, or at least the larger ones are, and the smaller ones probably want to be doing this. Around 2012 we learned that there were sort of commercial companies that were selling this capability to nation states. So WikiLeaks released the Spy Files, which is a bunch of people that went there to sell this sort of capability to various nation states. So most prominently we learned about FinFisher, Hacking Team and VUPEN. And we learned that they were selling implants and exploits and backdoors and that sort of thing. Which also led to finger wagging: bad FinFisher, bad Hacking Team. And then of course these days we learned that somebody is selling implants and exploits. You know, there's probably someone outside, a dude dressed in black, maybe wearing a black hat, who will be easy to find, who will probably offer to sell you these things.
So yeah, there's sort of a commercial scene right now and there has recently been a very vigorous public debate about regulation or not regulation, and the nature of the implementation of regulation, to cover people actually selling commercial capability in this area. Right. So this has actually led to sort of a corresponding change in industry, what I'm going to call AV 2.0. A lot of you will probably be familiar with the sort of web 2.0 adage: if you're not paying for the software then you are the product. Well, with AV 2.0 you are the product and you're still paying for the software. So you actually managed to do one better.

Yeah, but the question now is, like, actually how did the customer become the product? Well, the better question now is what actually the hell is threat intel. So preparing for the talk I tried to find the definition for threat intel and guess what, I didn't find anything that would fit on one slide. So threat intelligence for us, as we understand it, is malware watching. So when the malware, or when the threat detection industry started, it was all about detecting threats. Today what we see is we're watching threats. So what is primarily interesting in threat intel is: where is the malware? Where did the malware come from? Who wrote the malware? Who's operating the malware? Since when is the guy operating the malware? And what does the guy actually want with the malware? There's reports being written on this, there's blogs being written on this. There's a lot of money flowing one way or another depending on the threat intel, the infamous threat intel.
You can imagine this like, I heard a funny anecdote on this, on how it works. You can imagine a robbery: someone breaks into your house and is aiming to steal your stuff that's in your house, and you hire a security company which is out to watch your house so nothing gets stolen, and the security company goes there and says like, no wait, don't stop him, watch him, watch what he does, watch what he wants to steal. Then try to find out, like, still don't stop him because we have to figure out where did he come from. We have to figure out where he wants to go with all the stuff that he's stealing from your house. So you're watching that guy stealing all the stuff from your house, while your security company is still investigating where the guy came from, what he's doing, what his motivators are, if there's political implications. So this is what we see today in the movement from antivirus towards threat intelligence. This led to a massive industry working on actor tracking, so they were not only interested in what the threat does but who operates the threat. This is also what will have publicity, so having interesting threat actors, interesting operators, is worth actual revenue when you can publish on it and gain on marketing, and what's even more interesting to me is the fuss that's around the numbering of APTs, the naming of APTs, the logo creation of APTs for the sake of publicity. What I just said about the revenue on these interesting actors becomes even more prevalent when talking about nation state malware, because nation state malware is interesting for two reasons: it has a lot of public interest, people are interested in what's happening on the cyber warfare scene, and secondly the number of targets is actually small. So considering nation state malware, a security company can be fairly sure that by holding information back, by not publishing too soon, by watching the actor for a long time, actually a very, very small list of customers is actually at risk.
Still, what I would call these cases of nation state malware is precious, precious because there are so few. How do we find these precious, precious? Let's think about it as a needle in a haystack problem. So researching for a very limited number of samples in a very big number of malware that are processed every day. So the antivirus or threat intel industry every day processes hundreds and thousands of samples, depending on which report you read, it's about like hundreds to hundreds of thousands of samples. And these are automatically processed and traded. So companies exchange samples, they upload them to VirusTotal, they have the multi-scans, they have them sent on to other threat intel vendors or whatever. But all this big haystack might or might not contain interesting samples, so might or might not contain our precious treasures. Now how do we find these treasures? How do we do the needle processing? So as you might know, we both here worked on nation state malware quite a bit and had this very specific problem that we had like massive haystacks and had to find the needles. Now what you do for needle finding, initially what you would want to do is use your indicators: like, you know something about the malware you're searching for and then you request related malware from threat intelligence feeds or from telemetry data and see if your indicators match data that's already there. This is one way. By the way, the same problem as with threat intelligence applies to telemetry data: you won't find a good definition for telemetry data. A little bit more about this soon. Another interesting source for the needles in the haystack, or to find the needles in the haystack, is leaked documents. This is just a recent phenomenon since the Snowden era that we actually have access to documents describing these very precious needles. That really helped us dig through the haystack. Another interesting indicator is infected machines.
If you're not at all having big haystacks to dig through, you might just as well book that flight to Syria and ask people for the stuff that they have on their machines. All right. And the last point, which for me is the most peculiar one, is the gossip. You wouldn't think how much actually top secret information is exchanged at bars after the third drink. This doesn't cease to amaze me. All right. What was that with the telemetry data? And what was that with the customers, the product? So what we have today is what I would call endpoint wars. I like to call it endpoint wars. Let me tell you, I started my career at an antivirus company. So I actually know what I'm bitching about. Antivirus companies just recently, like some years ago, learned that what they actually do is not writing antivirus engines but providing endpoint security products. So what they do is they have endpoint agents. These agents are out on endpoints to scan for indicators of compromise. This was initially called a signature; now it's an indicator of compromise or a threat indicator that is being searched for. And these antivirus agents, sorry, endpoint agents, do mitigation tactics to protect the machine. But what you also do is exchange data, or silent data exchange, from the endpoint agent to the actual company operating the product. So this silent data exchange is the infamous telemetry data. How does it work? So here's our endpoint agent which does the threat detection and mitigation. And it's being fed threat indicators. These are the signatures and the detection patterns that the security company produces. This is being sent out frequently to the agents so they are up to date and able to search for threats on the machine. These agents depend on threat indicators. So what happens is that the agents actually send back QA data to the security company which is being fed back into the threat indicators. So threat indicators are improved based on quality assurance data.
This quality assurance data is several things, depending on the threat indicators, which could be signature hits, could be timestamps of when the signature hit and on which specific binary, could even be the binary itself. So the security company can check the binary that was detected to see if it was a real threat or a false positive. And of course the hit frequencies. So actually these security companies know very well what the agents do, what they detect, when and where. This data is the precious telemetry data that is being used for the beautiful blog posts that security vendors aim to write. Where it says like, oh, we have detections for this in Malaysia and we have detections for this in Sudan, so we assume that our threat actor is interested in, I don't know what, the government of India. Whatever. So this is how it usually works. How is the work backstage? To sum it up, we have the signature generation and testing. So the threat detection company is building their signatures, sending them out to the endpoint and getting back data on how well the signatures work. This is really built for quality assurance. But it adds the telemetry data that serves for beautiful blog posts. Another phenomenon that we see in this are silent signatures. Silent signatures are detections that are sent out to the endpoint to work silently and generate only QA data but no detections, to see if the signature actually works or if it might produce like a massive false positive. So a lot of signatures are actually not activated from the beginning but are given some time to actually prove they're accurate. These signatures can not only be used for quality assurance but also serve very well for searching for files without actually indicating to the customer that there might be something sketchy on this machine. But this is just a theory.
Of course, as I mentioned, binaries are being sent back to the threat detection company so they can check their signatures and can look at the binaries and can maybe silently sneak some binaries out of the machine with their endpoint. Of course we have the telemetry data that's being produced and, summing it up, if you ever install a free security product on your machine, be sure that you're just there for producing telemetry data. And as Morgan mentioned, the funny thing is that usually security products aren't free, so you're actually paying for contributing to the telemetry. Another interesting phenomenon that we've watched was the frenemies phenomenon. So while digging through our haystacks and searching for our needles, of course you get to talk to other people on the hunt and you find other people interested in, occasionally, the same malware that you search for. And you'll find yourself in very interesting conversations where people who you had never thought would talk to you all of a sudden are being very friendly, or people who used to talk to you all of a sudden are very closed up and say like, oh no, look, I saw your email, I just didn't have time for like two months to answer. These things happen.

Yeah. So the issue is, frequently when you're actually looking for a particular family of nation state malware, maybe you're hunting a country. Maybe you notice that New Zealand is doing some particularly interesting operations or something. I mean, anyway. Never happened. Hush. So a real world example of this is sort of malware that I worked on, you know, with a variety of people for a significant period last year, called Regin. So Regin was attributed to the Five Eyes. We'll get to that. But sort of GCHQ, DSD, and that sort of thing. It was allegedly used in the hacks on the European Union and Belgium. Now when I was working on this it became apparent to me that Regin was actually the worst kept secret in antivirus and the security industry.
Because a variety of people knew about it and had known about it for quite some time. So I discovered, for instance, that Microsoft had had a definition of it for a long time. Kaspersky had known about it for a couple of years. Symantec had known about it for a couple of years. So, somewhat naively, I suspected that they wouldn't publish. And then somehow it leaked that I was going to publish that week, and then Symantec published a report on Sunday night, bogglingly, which they have never done before. And Kaspersky followed a few hours later, and then my report came out the next morning. Just imagine how hard it is to actually get a team going on a Sunday night. Now I'm not bitter about this. It's just, you know, that's the game, right? But no, I mean seriously, this actually happens when you're actually doing this type of work: you notice sinkholes have been done by this company and these people uploaded binaries. And then actually all of a sudden you'll see that like sort of five or six different people in the antivirus industry are searching for the so-called super secret malware that you're searching for. And you're all kind of like working on it. But then wait, who's actually releasing this? It gets very tricky, very fast. All right. Before we actually get to our big game that we were hunting, we wanted to speak out to our friends in Africa who are still sad about Cecil being murdered. And I wanted to tell you that no actual big game was harmed in the making of this presentation. All right. So we actually forget about Cecil a lot as an industry, right? We're more interested in the gun that shot Cecil: how sophisticated it was, who manufactured it? You know, was the person that made the bullet compliant or complicit? You know, or both, right? I mean these are both interesting questions. We sort of forget about, you know, actual victims or targets really, really fast.
Because, as I said, there's this kind of, you know, twin obsession with sophistication and attribution that actually kind of fuels most of the reports on this. So I sort of noticed this perspective really illustrated when I went to an antivirus company recently. So actually right now I want to do a small test. Are you guys familiar with, Google does this kind of state sponsored warning banner, right? So if they think a user of Google has been targeted by a nation state they stick a warning in your Gmail where they say, you know, we think you've been targeted by a nation state actor, you should probably flee in terror. I don't remember the official wording. But are you guys familiar with this? Yes. How many people here have actually received that warning? Yeah, it's not too bad, a couple. So I went to this conference in the Middle East, right? It's called the Arab Blogger Summit. It was primarily people who had done a lot of political writing during the Arab Spring. Fair and balanced reporting on how their governments were not very keen on freedom of the press. And I asked the same question and roughly about half the audience put their hands up. And so I was at this AV company recently and this guy says to me like, hey, where did you find interesting sample X that you wrote about the other day? And I said, well, it was actually sent to me by some activists who were targeted, who I met in the Middle East. And the guy was like, oh, that's cheating. I was like, cheating? Because I'm supposed to do haystack processing, right? Like if I'm not actually sitting there sifting vast families of malware obsessing about the sophistication then this is cheating. That's, I mean, like this whole industry is actually kind of messed up when it comes to what it's interested in and what it thinks you should be doing in terms of this research. The actual effect, I mean, malware is used as espionage. It's sort of like a tool, an instrument of policy basically.
And so in some places, you know, that policy is what we might consider somewhat draconian. So I'm going to run through this pretty quickly. But this guy. I spent a couple of years tracking the digital campaigns that sort of accompanied the hot conflict going on in Syria. Now this guy was talking to a helpful NGO aid worker a lot. His computer was compromised, well actually, their computer was compromised, sorry, the NGO worker's. Tomor was seized by the Syrian secret police; they beat and tortured him. And they had all the records of his Skype conversations, emails, so on and so forth. And this always stuck with me. That's actually the hard drive. The interesting story with this is it got smuggled out of Syria overland to Lebanon, where it was sent to Europe and then finally FedExed in the US to me. I actually got it in a bag here on stage because no one leaves anything interesting in their hotel rooms at DEF CON. But he said, my computer was arrested before me. And that actually always stuck with me. This woman's name is Ala'a Shehabi. The nice looking guy next to her, his name is Ghazi Farhan. You might know Ala'a Shehabi's name, if it rings a bell, because she was actually FinFisher patient zero. So FinFisher is a suite of tools for governmental intrusion that was sold by a German company. And they did a bunch of really interesting things like sell it to Egypt during the revolution and so forth, and to the Bahrain government. When I did the first public identification of this a couple of years ago, she was actually the first person who was targeted, the person who sent me her samples. Now she's a London born economics professor who spends a lot of time tracking the sale of arms to Bahrain. Her husband, Ghazi Farhan, was seized and they got no word of what happened to him for 48 days for, well, what was it officially? Spreading misinformation about the government, largely in the form of comments he made on Facebook. Ahmed Mansoor.
Nice guy, pro-democracy activist in the Middle East. I believe he's also an advisor to Human Rights Watch. I believe his official charge was insulting the office of the sheikh. So what he did is he signed a pro-democracy petition. Now he spent a couple of years in jail, and when he was giving talks after this, plain-clothes thugs were showing up and beating him up and stomping him, and he had no idea how they were tracking him. So I did forensics on his machine and I found malware by these guys. I'm not sure anyone here has heard of Hacking Team. I know, I know, right? That's funny because they got hacked, yeah, yeah. But in this case, attribution wasn't that tricky. For a brief period the malware actually pointed to this address, which is a tiny range which belongs to, wait, is that the office of the sheikh? Sweet object. So yeah, I mean in this case it was actually reasonably easy to find out who was actually doing the spying on him. Which brings us to Mr. Alberto Nisman. Some of you guys in the audience may be familiar with this case. So he was an Argentine attorney who was about to bring charges against the president of Argentina and other high level politicians for a cover up of a terrorist attack which killed 94 people. Four days before this was about to happen he was found dead in his apartment. It was ruled a suicide. Apparently he shot himself in the head, although there were no powder burns on his hands. The suspiciousness around the manner of his death actually led to protests in Argentina. And where things get even weirder is it was actually published in a very small Argentine news outlet that police had done forensics on a variety of his devices and then uploaded files to an online virus scanning service to see if they were suspicious. And they found one that was. And it was called, my Spanish is awful, Strictly Confidential. Happy to help. Right.
And so, I mean, at the beginning it's kind of a little confusing because they say this was found on his phone. I mean, the malware is actually for Windows. But as it turns out the conditions around the forensics of his physical devices get murkier and murkier. His phone was tampered with, as was his computer, and so on and so forth. Well, what can we do? Well, we can extrapolate a bunch about the actual targeting. So the way you do this: you search for the sample. One hit. One upload from Buenos Aires, Argentina. It is related. It has a command and control domain and a bunch of other samples related to it. So the people that were targeting him were targeting other people using political bait. Network based indicators suggest to us that the actors were based in Argentina and Uruguay. We do. The actual malware itself is kind of interesting. Much like a lot of stuff, it started as a proof of concept. Someone actually wrote a piece of proof of concept malware for Android. And the idea was they just wanted to prove that you could spy on Android phones. It was called Frutas. And then someone had the great idea of selling it. And so it got rebadged as Adwind and sort of popped up as a reasonably cheap sort of commercial back door for Windows, Linux, OS X and Android. It then got rebadged again as UNRECOM, another piece of for-sale malware. And then we've recently seen it doing the rounds in targeted attacks as AlienSpy. And as you can see from the screen, it's most commonly Spanish language and it does a variety of stuff like it'll turn on the microphone of your laptop or cell phone so you can sort of listen to ambient conversations around the device. You can even take pictures of people through the camera. Gather messages, emails. That sort of thing. This is some of the other targeting that the same group is doing. I can't tell if the document is real or not.
So the lure document, which is bound together with the implant, looks like it's from the embassy of Ecuador and pertains to the sale of fighter jets from Brazil. So it's sort of definitely regional targeting around that area with sort of political themes. As I said, indicators point to people in Argentina and, well, actors based in Argentina and Uruguay. However, you know, we also see the use of hosting services in the US, Germany and Sweden like GoDaddy and all that sort of stuff that you'd expect to see. So, I mean, could have been anybody, right? Maybe. And his death was definitely suicide. Yes, sir.

You saw some examples now of how attribution could work. Sometimes it's tricky, sometimes it's really easy, always depending on how smart your actual adversary is. In that case, in the case of Babar, before I mentioned allegedly French malware, attribution was semi-tricky, as I would say, because I didn't actually, when working on the malware, do any attribution, because the attribution had already been done. In the case of Babar, Babar is an espionage trojan which was allegedly written by French intelligence, and the attribution actually was made through a leaked document which was published by Der Spiegel earlier this year saying that the Canadian intelligence service had found these trojans on machines in Canada and attributed them to the French. So I mean, the Canadians did a good job there, I would say. I actually totally agree with them. But, of course, in real life, we don't always have this opportunity. Furthermore, Babar was not the only trojan being used by the same operators. Babar came with brothers and sisters. One of them, the infamous Bunny malware. So Babar was an espionage trojan. Bunny was a scriptable bot incorporating a Lua engine and downloading Lua scripts to partially change its behavior at runtime. It was a very smart trojan, but there was more. There were other families, namely Casper and Dino and a denial-of-service bot named NBOT.
And we researched these samples and grabbed them all from online repositories and said, oh, yeah, these look like they're from the same authors, and published our reports. And then people came like, why are you so sure these all belong together? I mean, of course, there's all the cartoon names, but especially for NBOT, for the denial-of-service trojan, we had a serious issue with actually proving our statements, to say, okay, yeah, we're sure that these were actually operated by allegedly French intelligence. So what would we do? How would we help this problem? You might have seen a lot of these blog posts saying, oh my god, we found more samples belonging to Stuxnet. We found Duqu 2, which is related to Duqu 1. Supposedly we found Equation, which is related to Stuxnet in some sort of wicked way. All these statements, they never came with any proof, any understandable proof, any transparent documentation of how the analysts got to their results. So we're proposing here today a method on how to transparently prove that two binaries are related or not related, because actually already by linking two binaries together, or by linking two malware families together, one can draw a suitable conclusion on who the actor was. If, like, for example, in the case of Babar, we knew that Babar was mentioned in the documents, and the documents said France. Then we knew that the other families we were working on were related to Babar, so we could do our attribution chain and say, okay, this is the tool set of the French intelligence service. How did we do this? So malware attribution, as you might have recognized, is a misery business. What you usually want to know is who wrote the malware, who controlled the malware, who were the victims and what was the actual aim of the operation, meaning what was the malware after. The problem is, if you have ever done any reverse engineering and worked on a binary, you will know that the binary actually doesn't tell you anything of this.
The times when malware authors wrote their names into the malware, that was back in the 90s; these days are over. You can't actually read from anything inside of a binary who was the operator or who wrote it, and in some cases that's the same people. So as you saw with the Nisman malware, the people who wrote the malware in no case at all were the same people who operated the malware. Someone bought that thing and used it later on to attack Alberto Nisman. So the problem we have there is that we want the binary, we want to put it into a context, but we can't get to a context from the binary. What we can do is we can get to a binary in a context from the binary, which would be a win situation. So what we want to do is like linking binaries together to find, for example, we have this set of binaries and they look like they're related to the Flame malware. So we can conclude that the operators of this malware might have been the same as the ones who operated Flame. How do we do this? I don't know, let's first get back to you two. Academics, of course, we did serious research here. What did academics say to this? There's already research being done on how source code can be attributed to an author. So with text style, one can say, if you have like a certain set of samples of source code, you can perform machine learning on certain attributes extracted from these samples to determine who the actual author of the source code was. This works fairly well on source code if you have one author writing some thousands of samples, or hundreds of samples, to actually extract enough attributes to train your machines. The problem you have with binaries is you don't have any more handwriting left in the binary after the compiler compiled the source code into the binary. You don't see white spaces, you don't see variable names, you don't see comments, you see nothing but the binary and have massive influence from the compiler itself.
Another problem that we face, especially in nation state malware, is that you usually don't have one author writing a binary but a team of authors, and a team of authors might even change over time. So determining that one person was writing on this binary won't help you anything unless you find the actual operator. So these are our problems. How do we counter this?

The method we propose is to say, the datafication of the reverse engineering results that we have. So we went on like, what do we see in the binary that tells us these two binaries are written by the same author, and went on to get a list of all the attributes that we found helpful on this way. Very important on this way is that the attributes that we gathered for describing our binaries were gathered from different domains, which means we do not only look at the malware traits, we do not only look at the techniques the malware uses, we do not only look at overlapping source code, because as you might know, source code can be copy-pasted by about anyone, not only the one who originally wrote it. So we try to grab attributes from at least four different domains; could be more, and could even be more attributes, but to spread the probability, to even out human and compiler influence, we try to grab as many attributes as we could possibly get our hands on. Another reason for doing this is, of course, attributes can be faked. You might have heard of false flags, so if you're a malware author you don't usually want anyone to recognize your malware or to attribute it to anyone and to find related binaries. So by grabbing as many attributes as possible, you can even out fake attributes, or even detect fake attributes and possibly find false flags in the binary.
The assumption is that it's impossible to falsify or randomize all of the attributes, so if you collect as many as possible you're good, and you can even out individual human influence because, as mentioned, you are not interested in the individual guy who wrote the piece of code, but you want to know who operated it and who used it and who stole the data. Here are all the attributes that we proposed in our paper. I'm sure you can read it very well and better memorize them all. I'm kidding.

These are the four categories that I was talking about. The string constants in the binary we found very helpful. The implementation traits, which means how specific activities that are repeatedly used are performed: how memory allocation is performed, how constructors and destructors are implemented, if there is special exception handling happening, etc., etc. The third column would be custom features, which is especially interesting in malware, because malware repeatedly does the same things, like gaining persistence or implementing encryption or classification techniques or implementing evasion techniques, and if you're someone writing malware you generally do not implement these several times over just to be evasive, because these are usually very expensive to implement, because usually it's hard to find people who actually are able to implement these traits. The fourth column would be the infrastructure, to raise the bar even higher, so also infrastructure such as C&C servers, or people logging into C&C servers, or geolocations, are very helpful in linking binaries.

Okay, so here's our proof of concept. I'm sure again you can read a lot on there. Now what I actually wanted to show you is, this is the proof of concept on the Animal Farm malware, where we try to find attributes linking our cartoon malware to the denial-of-service part that I was talking about.
The yellow lines in there indicate that attributes overlap, and as you might also be able to see, the overlapping is very much in the eye of the analyst. So I went on to grab all my attributes, describing the multi-threading model, describing obfuscation methods, describing dynamic API loading techniques, describing all these things, and it looked like, does this look similar, and I figured yes it does. What does it tell me? The telemetry on Babar, or the binary telemetry on Babar, helped us link the other different families to Babar, which would be Bunny, the denial-of-service bot NBot, Casper and Dino, and link them with each other. And actually by doing so we were able to create a much bigger picture than we actually had from only the Babar malware. So we knew that our operators would do espionage using Babar, that they would spread the malware through spear-phishing with an Adobe zero-day, that they would do espionage in Syria, because Casper was found on machines in Syria, and also in Iran, because Dino popped up in Iran, and, most peculiar given that this might be the French government, that they ran a denial-of-service botnet in 2010. Now we didn't figure out why the hell the French would need a denial-of-service botnet.

However, of course, there are several problems, not to get into too many details. The technique is not actually able to do authorship attribution, so by linking binaries together you still don't know who actually wrote it. It's a lot of manual work, of course. You need to reverse engineer a lot and get all the features. There's very little automation and machine learning possible in there, and the interpretation, of course, is always in the eye of the analyst.

So we're going to talk a little bit about, you know, I guess attribution in our industry is done in a variety of ways, right. So you have what I call soft attribution.
Like, well, this malware family is linked together because they all have a tilde D as a temp file, or this malware for the French government was written by Dino Dai Zovi because it's called Dino. So a good example of soft attribution is actually the work that we did on Regin, right. So we're looking at this complex family of malware. It's very sophisticated. It has lots of moving parts, and we're looking at it over a long period of time, maybe a year. Now it actually starts off in this mailing list. Someone actually posted, people were talking about difficult-to-reverse samples of Chinese malware, and someone posts this and says, oh, look at this stuff, and, you know, crickets chirping, chirping. Then all of a sudden someone replies back like, wait, I don't think that's China. And so, you know, we sort of keep searching and we find more and more samples until we ran into this one.

Now this was actually a zip archive which had, as you can see, the underscore sample. That's a Regin sample. This actually looks like the results of forensic analysis on a compromised machine. So there's an output file from a custom forensics tool which bears the Fox-IT imprint. There's a Process Monitor log, which is a Windows tool that you use to inspect a variety of things about the system. And this actually gives us the name of the system that was analyzed and where it was. And so what we get is, we get, you know, user domain Belgacom and the name of the user and so forth. Now for those of you that have reasonably long memories, you'll remember that Britain's GCHQ hacked Belgian telecoms firms. And so the timing is right, we've got this complex malware on Belgacom systems, and so on and so forth. So I mean, you kind of know, but I'd actually call it a soft attribute because it's not really like hard proof. You don't have someone standing there with their hand on their code saying, this was me. However, we did actually end up getting that.
Leaked out of the Snowden documents was a bunch of code which, as it turned out, was a Regin plug-in. Kaspersky said, looking at this code closely, we can conclude that the QWERTY malware is identical to blah, blah, blah Regin plug-in. A friend of mine, I think, said it better, which was, even Blind Freddy could see that QWERTY was a Regin plug-in. And so I mean, that's what I call hard attribution: you can actually have, say, documents full of code to this malware which links back and so forth.

The issue when you're actually producing research in these areas is that, you know, legal spies are actually frequently obliged to lie about the nature of their spying. You know, DNI Clapper was caught in a reasonably difficult position when asked in front of the government, and on television in front of the nation, whether or not the NSA was spying on millions and millions of Americans. And so he kind of scratches his forehead and says, you know, not wittingly. Which he then sort of goes back on, and once it came out that he lied he sort of hedged and said, well, he said the least deceitful thing that he could at the time. I mean, this has actually gone on with a variety of actors that sell this capability in the industry. Sort of FinFisher's lies about selling to Bahrain and Egypt. If any of you have looked at the Hacking Team dumps, they just have stacks and stacks of sketchy lies. At Citizen Lab, some of the work I did there with Bill and Claudio and others pointed to the sale of this commercial malware to the Sudanese government. After that the UN actually asked this company, did you sell to Sudan. And they were like, no, no, no, not us, not us. But their internal records showed that they received almost a million euros from the government of Sudan, and their internal messaging was like, we really need to avoid being mentioned on this.
So you actually can't expect, when you produce reports about government espionage, that someone's actually going to read them and give a public response and be like, well, you got us, good on you. That's sort of not really how it works. I mean, Hacking Team was a really interesting case in that they actually had listed out there, this is a slide from an internal presentation there, the people that they were worried about. So Hacking Team was worried about Citizen Lab, Human Rights Watch, Privacy International and a variety of others. It seems that they probably should have been worried about Anonymous. Well, I should point out that if you're worried about democracy activists and people with human rights concerns worldwide, you should probably change your business model.

Now the lies actually continued even up to the point of their leak, where the sysadmin actually said, attackers are spreading a lot of lies and it's simply not true, this leak's torrent contains a virus, to which the former Twitter security lead John Adams said, no, the torrent contains all of your viruses which you sell. Which I found particularly funny. I mean, things got more and more peculiar. Hacking Team don't particularly like me. They issued a statement about me saying that I'd been a tireless wolf-crier on the issue of privacy as I defined it, and therefore I was helping terrorists and pedophiles and other people. Which I thought was quite hurtful, actually. But I'm sure it wasn't personal. I mean, they mentioned me 117 times in the mail archive by name, by nick maybe another like 45. And then of course there's the photos and audio recordings of me, which gets weirder and weirder. And this is the most bizarre one: they actually say in this internal email, they have code names for customers, so Phoebe. Who could that be? Right? And I mean, in great obseq, they even have a link in that which is, FBI quietly forms secretive net surveillance unit.
So as it turns out, they actually say, meeting with these people went very well. If anything good came out of the Citizen Lab articles, it's that it brought them to contact us to see if it was true. It was more than they expected, thank you Citizen Lab. So the FBI read a report that I wrote and went, ha, malware looks pretty good. Maybe we should buy it. So, Hacking Team, I want my 15% sales cut. That was weird. That was really weird. Stuff gets stranger and stranger.

We are getting harassed, so I am going to have to skip to the fun bit, which is the choose-your-own-adventure malware story with something a little bit new. Now we had difficulty naming this. So we called it Cheshire Cat. Sure. And while working on Cheshire Cat, of course, we tried to stick to industry standards on naming, mainly. So we went through the APT numbering and, hello. You are going to silence us and stop us from releasing an unknown government spying tool. You know what? If you can do it in seven seconds, I will not stop you. Can't do it. All right. You really? This is really funny. They are trying to silence us. It's actually a tool of the government we are just about to out. No, I am not shitting you. This is pretty messed up. I am not a tool of the government. You guys have had 50 minutes. You are a tool of the government. I am a tool. It's because we are trying to speak the truth. It's so sad. Sorry guys. Don't blame me. Blame the man. Possibly do it for five minutes. I mean, we can try to do it really quickly. Do you want to give him three minutes?

Cheshire Cat, I want to stick to the CrowdStrike convention. It doesn't have anything to do with it. But we found some interesting samples, like being active from 2002 to 2011. We said this is a choose-your-own-adventure kind of attribution thing. So we have an actor being active for almost ten years. This is really interesting. The only other malware families that have really been seen around this long, you have Stuxnet, Equation, Regin.
2009 is a really long time to be actually writing a contiguous family of malware. Right. It was a rather curious family of malware. So yeah, of course it would check for security processes, whatever. But it would also talk to a driver on the machine and orchestrate other processes, which is very stealthy. Talk about the 16-bit stuff. That's fine. Okay, let's skip that. So yeah, it did some cool stuff on the machine. But what was more interesting was that it was really prepared to run on an old Windows version. So it was actually built in 2002 but prepared to run on Windows 95 to ME. And it actually had a check built in to check whether a PE header was valid or not, and the search for the NE value, which is the New Executable bit. I don't know, I'm rather a young reverse engineer; a New Executable, it was quite before my time, that was built for Windows. No, sorry, for Microsoft DOS 4.0. DOS 4.0. 16-bit systems. All right. Let's go on. Next time.

So yeah, the next set of malware related to this that we found is from the more modern era, 2007, 2009. It has a bunch of implementation traits which suggest that it was being used to target NT4. Which was actually pretty old, even in 2007-2009. Might be a good time to remind you that governments are really awful at updating their systems. The US government, for instance, complained at length to Microsoft when they tried to deprecate NT4 and XP, for instance. Who would want to run XP? Yeah, it was running as a shell extension handler, an icon handler, and was searching for the Progman window to be running in, which was the Windows shell before Explorer.exe, the Program Manager, which was introduced with Windows 3.1 and actually deprecated with Windows Vista. Furthermore, these samples would monitor terminal services sessions, do some hooking and steal data from the machine, and load a custom DLL. Super interesting.
We were doing archaeology, grave robbing, sorry, and had again the same application as in the other samples with Stalometer, so we knew they belonged together, surprise, surprise. Very stealthy. It had super stealthy network communication. Lots of C&C servers, nine C&C servers, infrequent polling intervals, very stealthy communication, infiltration. It would only talk to the C&C servers very, very few times. Okay, faster. In 2011 we had another sample which would try to pedal around Kaspersky security products, which is peculiar because it doesn't try to enumerate any other security products, so allegedly the authors knew which security products were installed on the machine. So summing it up, we had an actor which was operating for a very long time, knowing very well which machines would be targeted and which operating systems, and knowing very well how to make their way out of the network. And what we didn't tell you yet, what is the most interesting thing, is that these samples would actually create temp files, temp files which would be dropped on the machine, and these temp files would actually start with a tilde and a D. You might remember our introduction.

So, people at DEF CON love to sing on Black Hat, right? So when we did this at Black Hat, we ran out of time, which I boggle you, so time management is so good. And so I was like, well, we're going to use the magic attribution eight ball and figure out who did this. And so we took the magic attribution eight ball and it did what it does. And that is, attributed to China. Now, so who here actually thinks this was China? Does anyone, before we go off stage, does anyone, the first person who gets it right, I will buy them a drink. I couldn't comment on that, but I felt like I heard some drink. All right, we're out of here. Thank you.